diff --git a/CHANGELOG-developer.asciidoc b/CHANGELOG-developer.asciidoc
index 15efed8ed5df..33a957a6d6a2 100644
--- a/CHANGELOG-developer.asciidoc
+++ b/CHANGELOG-developer.asciidoc
@@ -12,6 +12,12 @@ other Beats should be migrated.
 Note: This changelog was only started after the 6.3 release.
 
+=== Beats version 8.0.0
+https://github.com/elastic/beats/compare/v7.x..master[Check the HEAD diff]
+
+==== Breaking changes
+ - Replace custom Pins type for a slice of string for defining the `ca_sha256` values.
+
 === Beats version 7.5.1
 https://github.com/elastic/beats/compare/v7.5.0..v7.5.1[Check the HEAD diff]
 
diff --git a/libbeat/common/transport/tlscommon/ca_pinning.go b/libbeat/common/transport/tlscommon/ca_pinning.go
index d83bf533d130..e489ca6d6f43 100644
--- a/libbeat/common/transport/tlscommon/ca_pinning.go
+++ b/libbeat/common/transport/tlscommon/ca_pinning.go
@@ -28,17 +28,6 @@ import (
 // ErrCAPinMissmatch is returned when no pin is matched in the verified chain.
 var ErrCAPinMissmatch = errors.New("provided CA certificate pins doesn't match any of the certificate authorities used to validate the certificate")
 
-type pins []string
-
-func (p pins) Matches(candidate string) bool {
- for _, pin := range p {
- if pin == candidate {
- return true
- }
- }
- return false
-}
-
 // verifyPeerCertFunc is a callback defined on the tls.Config struct that will called when a
 // TLS connection is used.
 type verifyPeerCertFunc func([][]byte, [][]*x509.Certificate) error
@@ -48,7 +37,7 @@ type verifyPeerCertFunc func([][]byte, [][]*x509.Certificate) error
 // NOTE: Defining a PIN to check certificates is not a replacement for the normal TLS validations it's
 // an additional validation. In fact if you set `InsecureSkipVerify` to true and a PIN, the
 // verifiedChains variable will be empty and the added validation will fail.
-func MakeCAPinCallback(hashes pins) func([][]byte, [][]*x509.Certificate) error {
+func MakeCAPinCallback(hashes []string) func([][]byte, [][]*x509.Certificate) error {
 return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
 // The chain of trust has been already established before the call to the VerifyPeerCertificate
 // function, after we go through the chain to make sure we have at least a certificate certificate
@@ -56,7 +45,7 @@ func MakeCAPinCallback(hashes pins) func([][]byte, [][]*x509.Certificate) error
 for _, chain := range verifiedChains {
 for _, certificate := range chain {
 h := Fingerprint(certificate)
- if hashes.Matches(h) {
+ if matches(hashes, h) {
 return nil
 }
 }
@@ -71,3 +60,12 @@ func Fingerprint(certificate *x509.Certificate) string {
 hash := sha256.Sum256(certificate.RawSubjectPublicKeyInfo)
 return base64.StdEncoding.EncodeToString(hash[:])
 }
+
+func matches(pins []string, candidate string) bool {
+ for _, pin := range pins {
+ if pin == candidate {
+ return true
+ }
+ }
+ return false
+}
diff --git a/libbeat/common/transport/tlscommon/config.go b/libbeat/common/transport/tlscommon/config.go
index 3fdaeced560b..8d7650eb5bfd 100644
--- a/libbeat/common/transport/tlscommon/config.go
+++ b/libbeat/common/transport/tlscommon/config.go
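Review bot: With `hashes` now a bare `[]string`, nothing in the signature says what a valid element looks like, and the part of the doc comment visible in this hunk only warns about `InsecureSkipVerify`; the opening lines of the doc comment are above the hunk and should state the format, e.g. `// hashes holds base64 (standard encoding) SHA-256 digests of the pinned certificates' SubjectPublicKeyInfo, exactly as Fingerprint produces them; an entry in any other form never matches.` The format claim follows from Fingerprint, whose body is in the last hunk of this file. The body of MakeCAPinCallback continues past the hunk.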
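Review bot: The new `matches` helper is undocumented, and its contract is an exact, case-sensitive string comparison, so a configured pin that differs from what `Fingerprint` emits only in padding, case or surrounding whitespace silently never matches; suggest `// matches reports whether candidate equals one of the configured pins (exact string comparison).` It also returns false for an empty or nil `pins`, which makes the callback built by MakeCAPinCallback reject every chain — fine only if callers install the callback solely when pins are configured, which this diff does not show. If the module's Go version permits it, `return slices.Contains(pins, candidate)` says the same thing in one line, but that is purely a style preference.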
@@ -33,7 +33,7 @@ type Config struct {
 Certificate CertificateConfig `config:",inline" yaml:",inline"`
 CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
 Renegotiation tlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
- CASha256 pins `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
+ CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
 }
 
 // LoadTLSConfig will load a certificate from config with all TLS based keys
diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go
index 41c574bc078a..5d8ce9360292 100644
--- a/libbeat/common/transport/tlscommon/tls_config.go
+++ b/libbeat/common/transport/tlscommon/tls_config.go
@@ -67,7 +67,7 @@ type TLSConfig struct {
 
 // CASha256 is the CA certificate pin, this is used to validate the CA that will be used to trust
 // the server certificate.
- CASha256 pins
+ CASha256 []string
 }
 
 // ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with
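Review bot: Making `CASha256` a plain `[]string` removes the one type a config-time check could have been attached to, and the diff adds no replacement: a malformed `ca_sha256` entry (wrong encoding, not a 32-byte digest) is accepted at load time and only shows up later as the pin callback rejecting every chain, presumably via ErrCAPinMissmatch, whose return path is outside this diff. If Config already has a validation step (not shown here), each entry should be checked there with `base64.StdEncoding.DecodeString` plus a 32-byte length check so operators get a configuration error instead of a connectivity outage. The `TLSConfig.CASha256` field in the tls_config.go hunk below has the same gap.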